1. Field
This invention relates to the field of data security, such as secure storage and retrieval of sensitive medical and financial data, multifactor authentication, access control, remote control of devices in absentia, such as in the case of home automation and other remote devices, as well as biometrics. It specifically relates to multifactor authentication for gaining access to a place or a resource such as a data bank, or conducting transactions, using handheld (mobile) or fixed devices. It is also related to near field communication and other wireless communication techniques as well as cryptography and key exchange encryption techniques such as symmetric and asymmetric hashing and encryption.
2. Description of the Related Art
Mobile devices such as smartphones, personal digital assistants (PDAs), as well as many other handheld devices are being used as authentication devices for financial as well as access transactions. In some countries these devices are providing the means for cash transactions in the same way a debit card is used. Some African countries have even been using these devices as prepaid credit devices which may be used for cash transactions simply by having the credit transferred from one phone to another. These are mostly done using the mobile network. In addition, there have been applications where a mobile device is used to access a data repository using well-established authentication methods, as well as hard-wired access control devices used for physical access to restricted areas. Some of these systems have also used biometrics such as fingerprint and iris recognition at fixed entry systems.
ICT Regulation Toolkit is a toolkit which is generated by the Information for Development Program (InfoDev) and the International Telecommunication Union (ITU). A Practice Note [1] gives many different examples of financial services which are available through the use of a mobile phone. These include Branchless Banking Models, such as the WIZZIT service [2] in South Africa; Mobile Payment systems such as M-PESA in Kenya and the Globe Complete G-Cash service in the Philippines; and Airtime Transfers [3] in Egypt, South Africa, and Kenya. See [1] for details.
However, the listed transactions currently rely on one or both of the following two authentication factors:
1. Possession of an item (something one owns).
2. Knowledge of a fact (something one knows).
In the scenario described at the beginning of the Description of the Related Art, the phone is being used as the item that is owned (the 1st authentication factor). In this case, if the phone is stolen or used without permission, one or more transactions may take place before the phone can be deactivated or the credit blocked. In fact, technically, possession of the phone is equivalent to the old standard of possessing currency.
To reduce the chance of the fraud described in the previous paragraph, some implementations also require another factor in the form of something the person knows (the 2nd factor), such as a challenge passcode. However, most such passcodes are simple to ascertain and to abuse in order to gain unlawful access to the funds associated with the telephone.